Security Culture

This question of security culture is discussed in Luke’s group.

IMO, culture is a big issue and varies from company to company. I would

  1. clarify the management’s expectations of security and culture,
  2. set the goals according to those expectations and/or requirements,
  3. analyze the dimensions of security culture, and
  4. define metrics and KPIs to measure if the goals are achieved.

The following are some factors to consider:

  • the risk appetite of the board,
  • arrangement of the security function,
  • the soundness of the policy framework,
  • security budget,
  • meeting frequency or attendance of the management,
  • the readiness of the management system,
  • total hours of training and education,
  • the number of incidents reported, and
  • sense of urgency and accountability, etc.